How to Use the Investigations Feature in Spyderbat

How to use the Causal Tree in a Process Investigation — adding and removing nodes, toolbar controls, right-click context menus, data layers, and sharing investigation links.

This guide covers how to work with the Causal Tree inside a Process Investigation. If you haven't opened an investigation yet, see Investigations for how to get started.

Adding Records to the Causal Tree

From the Records panel on the left side of the Investigation view, you can add records to the Causal Tree in several ways:

  • Star icon — Click the star on any record row to add that individual record to the graph

  • Add All — Click the Add All button above the records table to add every visible record at once

  • Show in Graph — If a record is already displayed in the tree, this button pans the view to that node

Once records are on the graph, the Causal Tree renders their causal relationships — which process spawned which, what connections were made, and how events chain together.

Figure: Investigation view with the Records panel on the left, the Causal Tree graph on the right, and the Details panel below. The Causal Tree displays nodes added from the Records panel; the Details panel shows metadata for the selected node.

Toolbar

The toolbar at the top of the Causal Tree provides controls for managing the graph view:

  • Clear All (trash icon) — Removes all nodes from the graph. Use undo if you clear by mistake.

  • Undo / Redo — Step backward or forward through actions performed on the tree (adding nodes, removing nodes, etc.)

  • Auto Focus — Centers and zooms the view to fit all currently displayed nodes

  • Zoom In / Zoom Out (magnifying glass icons) — Adjust zoom level. You can also scroll with your mouse wheel.

  • Highlight nodes — A dropdown that color-codes nodes by a selected attribute (e.g., Container UID). Nodes sharing the same value get the same color, making it easy to spot container or host boundaries.

  • Options — Opens a dropdown with display toggles (see Options Dropdown below)

  • Copy Investigation Link (top right) — Generates a permalink that captures the current state of the investigation (which nodes are displayed, which are selected). Links are not public — the recipient must be a member of your organization with read access. Share with a colleague for collaborative analysis or save for future reference.

  • Summarize (top right) — Produces an AI-generated summary of the investigation's findings.

At the bottom of the Causal Tree, two navigation buttons let you step through nodes chronologically:

  • Previous node — Jump to the node that occurred before the current selection

  • Next node — Jump to the node that occurred after the current selection

This is especially useful when reviewing a sequence of commands or events in the order they happened.

Selecting and Inspecting Nodes

Left-click a node to select it. Selecting a node:

  1. Shows detailed metadata in the Details panel below the tree

  2. Highlights the corresponding record in the Records table

Right-Click Context Menu

Right-click a node to open a context menu organized into sections.

Figure: Right-click context menu on a process node, showing the Load, Remove, and Search sections.

Top actions:

  • Details View — Open the full details view for this node

  • Set Time in Time Picker — Set the time range to this node's timestamp

  • Open Subtree in New Tab — Open this node's subtree in a separate browser tab

LOAD — Load related objects that are already within the enabled Data Layers:

  • Load Descendent Connections — Bring in network connections causally related to this node

REMOVE — Prune the graph by removing nodes:

  • Remove Self — Remove the selected node together with all of its descendants. Useful for pruning irrelevant branches (e.g., removing a bash process also removes every process it spawned).

  • Remove Descendants — Remove all nodes downstream of the selected node, keeping the selected node itself

  • Remove with name — Remove all nodes sharing the same process name

  • Remove with cgroup — Remove all nodes in the same cgroup (typically the same container or Kubernetes pod)

  • Remove Everything Else — Keep only the selected node's subtree, removing all other nodes

SEARCH — Search across all time known to Spyderbat and load results as a new Data Layer. This is how you find activity outside the original query time range:

  • Search For Child Processes — Find directly spawned child processes

  • Search For Descendent Processes — Find all downstream processes

  • Search For Child Connections — Find network connections from child processes

  • Search For Red Flags — Find security-relevant flags associated with this node

  • Search For Ops Flags — Find operational flags associated with this node

  • Search By euser / auser — Find activity by the same effective or audit user

Options Dropdown

Click Options in the toolbar to access display toggles:

Figure: The Options dropdown with its display toggles (Hide Threads, Show Relative Time, Hide Future Nodes, Hide Container Box, Hide Process Context Box). Show Relative Time is enabled, so each node carries a timestamp.

  • Hide Threads — Hide thread-level processes to reduce visual clutter

  • Show Relative Time — Display a relative timestamp on each node (e.g., "45ms", "-1y") based on the currently selected node. This is useful when reviewing traces that span long periods — it makes the temporal distance between activities immediately visible.

  • Hide Future Nodes — Hide nodes that occur after the selected node's timestamp

  • Hide Container Box — Hide the container grouping outlines around nodes

  • Hide Process Context Box — Hide the process context grouping outlines
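The pruning actions in the REMOVE menu, the Hide Future Nodes and Show Relative Time toggles, and the Previous/Next node buttons are all operations over one process tree keyed by parent links and start times. The following is an added example, not Spyderbat's code, that models those operations on a small constructed process tree so their semantics are explicit. The node fields (id, name, cgroup, ts, parent) and the rule that "Remove with name" and "Remove with cgroup" prune each matching node together with its subtree are assumptions made for the example; the product's exact behaviour for those two actions is not stated in this guide.

```python
"""Pruning and time-navigation semantics of a causal process tree.

Constructed example (not Spyderbat's code). The node model and the
removal rules are assumptions based on the UI descriptions in this guide.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Node:
    id: str
    name: str        # process name
    cgroup: str      # container / pod boundary
    ts: float        # start time, seconds since epoch
    parent: Optional[str] = None


# Constructed sample: an SSH session runs curl and python (python spawns
# another bash), plus an unrelated cron job in a different cgroup.
SAMPLE = {n.id: n for n in [
    Node("p1", "sshd",   "host",  1000.0),
    Node("p2", "bash",   "host",  1001.0, "p1"),
    Node("p3", "curl",   "host",  1005.0, "p2"),
    Node("p4", "python", "host",  1003.0, "p2"),
    Node("p5", "bash",   "host",  1004.0, "p4"),
    Node("p6", "cron",   "pod-a",  999.0),
    Node("p7", "sh",     "pod-a", 1002.0, "p6"),
]}


def descendants(nodes, nid):
    """All nodes downstream of nid (children, grandchildren, ...)."""
    out, stack = set(), [nid]
    while stack:
        cur = stack.pop()
        for n in nodes.values():
            if n.parent == cur and n.id not in out:
                out.add(n.id)
                stack.append(n.id)
    return out


def _drop(nodes, ids):
    return {k: v for k, v in nodes.items() if k not in ids}


def remove_self(nodes, nid):
    """'Remove Self': the node and everything below it."""
    return _drop(nodes, {nid} | descendants(nodes, nid))


def remove_descendants(nodes, nid):
    """'Remove Descendants': everything below the node, node itself kept."""
    return _drop(nodes, descendants(nodes, nid))


def _remove_matching(nodes, pred):
    # Assumption: each matching node is pruned with its subtree, as Remove Self does.
    doomed = set()
    for n in nodes.values():
        if pred(n):
            doomed |= {n.id} | descendants(nodes, n.id)
    return _drop(nodes, doomed)


def remove_with_name(nodes, name):
    return _remove_matching(nodes, lambda n: n.name == name)


def remove_with_cgroup(nodes, cgroup):
    return _remove_matching(nodes, lambda n: n.cgroup == cgroup)


def remove_everything_else(nodes, nid):
    """'Remove Everything Else': keep only the selected node's subtree."""
    keep = {nid} | descendants(nodes, nid)
    return {k: v for k, v in nodes.items() if k in keep}


def hide_future(nodes, nid):
    """'Hide Future Nodes': drop anything that started after the selected node."""
    t = nodes[nid].ts
    return {k: v for k, v in nodes.items() if v.ts <= t}


def format_relative(delta):
    """Render an offset in seconds the way the tree labels it: '45ms', '-3s', '-1y'."""
    sign = "-" if delta < 0 else ""
    d = abs(delta)
    for unit, size in (("y", 365 * 86400), ("d", 86400), ("h", 3600), ("m", 60), ("s", 1)):
        if d >= size:
            return f"{sign}{int(d // size)}{unit}"
    return f"{sign}{int(round(d * 1000))}ms"


def relative_times(nodes, nid):
    """'Show Relative Time': every other node's offset from the selected one."""
    t = nodes[nid].ts
    return {k: format_relative(v.ts - t) for k, v in nodes.items() if k != nid}


def chronological_neighbours(nodes, nid):
    """'Previous node' / 'Next node': neighbours in start-time order."""
    order = [n.id for n in sorted(nodes.values(), key=lambda n: (n.ts, n.id))]
    i = order.index(nid)
    prev = order[i - 1] if i > 0 else None
    nxt = order[i + 1] if i + 1 < len(order) else None
    return prev, nxt


if __name__ == "__main__":
    print("remove_self(bash p2):", sorted(remove_self(SAMPLE, "p2")))
    print("relative to python p4:", relative_times(SAMPLE, "p4"))
    print("prev/next of p4:", chronological_neighbours(SAMPLE, "p4"))
```

Selecting the python process (p4) and applying Remove Everything Else leaves only p4 and the bash it spawned; Remove Self on the session bash (p2) takes curl, python and the nested bash with it while the cron branch in pod-a is untouched. Hide Future Nodes with p4 selected drops curl (p3) and the nested bash (p5), which both started later, and the relative-time labels make that ordering visible without reading absolute timestamps.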

Data Layers

Every search or dashboard card that feeds into the investigation creates a Data Layer. Data Layers let you:

  • Toggle subsets on/off — Disable a layer to hide its records from both the Causal Tree and Records table, letting you focus on a specific data set

  • Isolate activity — Enable only one layer to view only that subset of records in both the tree and tabular format

The Data Layers section appears in the Records panel, showing the layer count (e.g., "Data Layers (2)") and checkboxes to toggle each layer.
